Don’t Panic: DNSSEC isn’t DO or Die

Category: CTU Research

May 03, 2010, by Nick Chapman

Recent rumors that the Internet is doomed are just as overblown as all the rest, except perhaps when AOL started letting its users onto the Internet, a fate from which the Internet never really recovered. The current rumor relates to DNSSEC (also known as Domain Name System Security Extensions), which cryptographically signs DNS results. This is done to prevent DNS cache poisoning and similar spoofing attacks. A number of sources have reported that the root DNS servers will begin signing responses this Wednesday, May 5, 2010. The concern is that after DNS responses are signed, they will be larger than normal DNS packets. To make things more concerning, older versions of the DNS specification state that DNS responses will never be larger than 512 bytes. There may be a large number of legacy firewall rules that still enforce this restriction. If the larger packets trip one of these rules, they will be discarded.

The good news is that only one root DNS server, J, will be changed on May 5. DNSSEC support has already been rolled out to the other root servers; May 5 actually marks the end of this rollout process, which began in January 2010. Even then, the changes that occur on May 5 are just a test, known as the DURZ rollout. DURZ stands for Deliberately Unvalidatable Root Zone: it is a fake key that cannot be used to validate the zone. The actual root key has not been created yet. ICANN has solicited applications from individuals to become trusted community representatives to verify the creation of the root key and its use to sign the root zone.

All the other root servers are already serving signed zones, but only if you ask for it. According to RFC 3225, the response will only be signed if the DO (DNSSEC OK) flag is set in the query. As long as your resolver or client doesn't set this flag, you shouldn't see any difference.

It's not a bad idea to test whether DNSSEC works in your environment. You can do this with DNS-OARC's reply size test tool, or simply with dig: adding the "+dnssec" argument to a dig query turns on the DO flag. Please note that these tests only verify whether a firewall or other device will block large packets. They will not tell you whether your DNS resolver software is capable of supporting DNSSEC.

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30

The signed response includes the RRSIG (Resource Record Digital Signature) record, which contains the signature itself. If you make a dig query with +dnssec set and you see a response that includes an RRSIG, you will likely be able to use signed zones without a problem. Furthermore, because the DO (DNSSEC OK) flag is not set by default in the majority of DNS clients, you shouldn't experience any odd behavior from this change.
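To make concrete what "+dnssec" changes on the wire and what to look for in the answer, here is an added Python example; it is not code from the original post or from the CTU. It builds a query carrying the EDNS0 OPT record with the DO bit that RFC 3225 describes, then parses a response to count RRSIG records, check the truncation (TC) bit, confirm that DO was echoed back, and compare the message size against the 512-byte legacy limit discussed above. The sample response is constructed inside the script (example.com, a TEST-NET-1 address, a zero-filled placeholder signature, made-up timestamps and key tag) rather than captured from a real server; probe() sends the same DO=1 query to a resolver address you supply, so the 192.0.2.53 in the comment is a placeholder to replace with your own resolver.

```python
"""Build a DO=1 DNS query (what dig +dnssec does) and inspect the answer for RRSIGs.

Added illustration for this post, not the author's code. Standard library only.
"""
import socket
import struct

DO_FLAG = 0x8000          # RFC 3225 "DNSSEC OK": high bit of the OPT RR's extended-flags field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
LEGACY_UDP_LIMIT = 512    # pre-EDNS0 ceiling that old firewall rules may still enforce


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ended by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, do=True, udp_size=4096):
    """DNS query with one EDNS0 OPT RR; do=True sets the DO bit, asking for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-RCODE(8) | version(8) | flags(16); the DO bit lives in the flags half.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def analyse_response(msg):
    """Summarise a DNS response: size, TC bit, RRSIG count, whether DO was echoed."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    rrsigs, do_echoed = 0, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        if rtype == TYPE_OPT and ttl & DO_FLAG:   # server echoed DO in its own OPT RR
            do_echoed = True
    return {"size": len(msg), "truncated": bool(flags & 0x0200), "rrsig_count": rrsigs,
            "do_echoed": do_echoed, "exceeds_legacy_512": len(msg) > LEGACY_UDP_LIMIT}


def build_sample_signed_response(qname="example.com.", txid=0x1234, include_rrsig=True, sig_len=256):
    """Constructed sample answer (not captured traffic): A record, optional RRSIG, OPT with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, 2 if include_rrsig else 1, 0, 1)  # QR RD RA AD
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    owner = b"\xc0\x0c"                                      # pointer to the question name at offset 12
    a_rr = owner + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])  # TEST-NET-1
    msg = header + question + a_rr
    if include_rrsig:
        # RRSIG RDATA: type covered, algorithm (8 = RSA/SHA-256), labels, original TTL,
        # expiration, inception, key tag, signer name, signature (all placeholder values).
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 3600, 0x4BE00000, 0x4BD00000, 12345)
                 + encode_name(qname) + bytes(sig_len))
        msg += owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rdata)) + rdata
    return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0)


def probe(resolver, name="example.com.", timeout=3.0):
    """Send a DO=1 query over UDP to a real resolver and summarise what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return analyse_response(data)


if __name__ == "__main__":
    print(analyse_response(build_sample_signed_response()))
    # Against a live resolver (needs network; 192.0.2.53 is a placeholder): print(probe("192.0.2.53"))
```

Read the result the way the post suggests: rrsig_count of zero with DO echoed means the server answered but did not sign; a timeout or a truncated answer on a query whose full reply would exceed 512 bytes points at a device enforcing the old limit rather than at the resolver itself.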